Security Testing Tips: How to practice social engineering attacks?


Exercise #1: How to guess the password category?
Example: Would the password contain a movie character's name? Would the password contain a place name?
1. Out of the blue, ask questions like:
A. Does your password end with numbers? And that’s 123?
B. Your password has some meaningful word without numbers and special characters?
C. Your password contains the name of a person?
D. Your password is not more than 10 characters?
2. Watch the physiological expressions of the target. You need practice to read information from physiological expressions, but it is easy, and many people do not know how to control their expressions when asked such questions unless they have practiced staying neutral.
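Seen from the defender's side, questions A to D only pay off when the password falls into one of those categories. The following is an added example, not code from the original article: an enrollment-time check that reports which of the four questions a candidate password would answer "yes" to. The name list is a constructed sample, and the letters-only test for category B is an approximation, since no dictionary is loaded.

```python
import re

# Constructed sample of given names (assumption); a real check would load a larger list.
SAMPLE_NAMES = {"santhosh", "priya", "john", "maria"}

CATEGORIES = {
    "A": "ends with numbers",
    "B": "letters only, no numbers or special characters",
    "C": "contains the name of a person",
    "D": "not more than 10 characters",
}


def guessable_categories(password, names=SAMPLE_NAMES):
    """Return the codes (A-D) of the elicitation questions this password answers 'yes' to."""
    hits = []
    if re.search(r"\d+$", password):
        hits.append("A")
    if password.isalpha():
        hits.append("B")
    lowered = password.lower()
    if any(name in lowered for name in names):
        hits.append("C")
    if len(password) <= 10:
        hits.append("D")
    return hits


def ends_with_digit_run(password):
    """True when the trailing digits are an ascending run such as 123 or 4567."""
    match = re.search(r"\d+$", password)
    return bool(match) and len(match.group()) >= 3 and match.group() in "0123456789"


def acceptable(password, names=SAMPLE_NAMES):
    """Accept only passwords that fall into none of the four categories."""
    return not guessable_categories(password, names)


if __name__ == "__main__":
    for candidate in ["Santhosh123", "sunshine", "maria2024", "tr0ub4dor&3-horse!"]:
        codes = guessable_categories(candidate)
        print(candidate, [CATEGORIES[c] for c in codes] or "no category matched")
```
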

Exercise #2: How to get inside any corporate premises with a security guard?
You could try one of these.
1. Be confident and well-dressed so that the security folks think that you are a big guy and let you in without asking many questions.
2. Make the security guard your friend by talking to him and asking personal questions like: Where are you from? What do you like? Make sure you act as though you agree with him and encourage him in whatever he says. That may make him like you and let you in.
These 4 were just examples; form your own exercises and perform them to build the mindset and skill set of social engineering attacks.

Exercise #3: How to spy on the computer activity of a friend or enemy who lives in a different country?
You want to be in India and spy on the computer activity of a friend / enemy who lives in Australia. Your task is to get the log file of every activity done, starting from keystrokes, websites visited, files opened, mouse co-ordinates etc. How would you do it?
1. Download the keylogger (well, before you do so, be aware that some keyloggers could hack you once you install them).
2. Find out the interests of your friend / enemy (Elicitation / Information Gathering) which would make him / her download and install the file that you are sending over e-mail.
3. Bind the software that your friend / enemy is interested in with the keylogger. Not sure if IExpress Wizard still works on Windows OS (go to Run and try iexpress). If it wasn’t successful, there are many software binders available over the web. Choose one.
4. Send an e-mail with content like, “Hey, you were looking for this pirated copy of this software. I have found it. Download and install the *.exe that I have e-mailed.”

Well, if the target falls into the trap, then he / she ends up installing the keylogger in the background while the trusted software is being installed in the foreground. So, the target doesn’t get to know about the keylogger being installed.

Wait, there is one important point: how would you get the logs? Before binding the software, edit the SMTP configuration and enter the e-mail address at which you want to receive the target's log file. Then, build the *.exe with the edited SMTP configuration, and then you can bind the software(s) as mentioned above.
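For a defender, the SMTP step is the part that shows up on the network: a program other than the mail client repeatedly opening connections to a mail submission port. The following detection sketch is an added example, not code from the original article. The log format, host names, process names and the allowlist are assumptions, and the sample events are constructed.

```python
from collections import Counter

SMTP_PORTS = {25, 465, 587}
# Assumption: the only programs expected to speak SMTP from a workstation.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample of endpoint connection events:
# timestamp host process dst_ip dst_port
SAMPLE_EVENTS = """\
2024-01-10T09:00:01Z ws-014 outlook.exe 203.0.113.10 587
2024-01-10T09:05:12Z ws-014 setup_helper.exe 198.51.100.7 465
2024-01-10T09:35:12Z ws-014 setup_helper.exe 198.51.100.7 465
2024-01-10T09:40:00Z ws-022 chrome.exe 192.0.2.55 443
2024-01-10T10:05:13Z ws-014 setup_helper.exe 198.51.100.7 465
malformed line
"""


def parse_event(line):
    """Parse one event line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, host, process, dst_ip, port = parts
    return {"ts": ts, "host": host, "process": process.lower(),
            "dst_ip": dst_ip, "port": int(port)}


def unexpected_smtp(log_text, approved=APPROVED_MAIL_CLIENTS):
    """Count SMTP connections per (host, process, destination) made by
    processes that are not on the approved mail-client list."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        if event["port"] in SMTP_PORTS and event["process"] not in approved:
            counts[(event["host"], event["process"], event["dst_ip"])] += 1
    return sorted(counts.items())


if __name__ == "__main__":
    for (host, process, dst_ip), n in unexpected_smtp(SAMPLE_EVENTS):
        print(f"ALERT {host}: {process} made {n} SMTP connection(s) to {dst_ip}")
```

Blocking outbound ports 25, 465 and 587 from workstations to anything except the organisation's own mail relay removes this delivery path; the check above then serves as the alert for attempts.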

It works!
Here is something that you may be interested in: keyloggers can also be used to record the steps performed when you find a bug. Now you see the two sides of a keylogger. It depends on how you use it. Example: a gun is used by police and terrorists, but for different activities.

Tip: Try Kali Linux Social Engineering Toolkit for attacks

Disclaimer: I am not responsible if you try bypassing some security in physical infrastructure to practice social engineering attacks. Example: Do not carry weapons or harmful items which may get you behind bars. Carrying food items into a movie theatre might be a good example, as security checks will just ask you to leave them out if they find them. Be sensible and careful with your exercises. Do it for educational purposes only.

Santhosh Tuppad is the Cofounder & Software Tester of Moolya Software Testing Private Limited (www.moolya.com). He also won the uTest Top Tester of the Year 2010 apart from winning several testing competitions from uTest and Zappers. Santhosh specializes in exploratory testing approach and his core interests are security, usability and accessibility amidst other quality criteria. Santhosh loves writing and he has a blog http://tuppad.com/blog. He has also authored several articles and crash courses in the past. He attends conferences and confers with testers he meets. Santhosh is known for his skills in testing and you should get in touch with him if you are passionate about testing.